VIRGINIA STATE BAR REPORT ON AUDIT FOR THE YEAR ENDED JUNE 30, 2018 Auditor of Public Accounts Martha S. Mavredes, CPA www.apa.virginia.gov (804) 225-3350

Virginia State Bar for the year ended June 30, 2018 · 2019-09-03 · protection of externally hosted data. Specifically, State Bar relied on three vendors, Virginia Interactive,


VIRGINIA STATE BAR

REPORT ON AUDIT

FOR THE YEAR ENDED

JUNE 30, 2018

Auditor of Public Accounts Martha S. Mavredes, CPA www.apa.virginia.gov

(804) 225-3350


AUDIT SUMMARY

Our audit of the Virginia State Bar for the fiscal year ended June 30, 2018, found:

proper recording and reporting of all transactions, in all material respects, in the Commonwealth’s accounting and financial reporting system and Virginia State Bar’s internal accounting system;

instances involving internal control and its operation necessary to bring to management’s attention; and

instances of noncompliance with applicable laws and regulations or other matters that are required to be reported.


TABLE OF CONTENTS

AUDIT SUMMARY

AUDIT FINDINGS AND RECOMMENDATIONS

AGENCY HIGHLIGHTS

INDEPENDENT AUDITOR’S REPORT

AGENCY RESPONSE

AGENCY OFFICIALS


1 Fiscal Year 2018

AUDIT FINDINGS AND RECOMMENDATIONS

Improve Oversight of Third-Party Service Providers

Type: Internal Control and Compliance

Repeat: No

During the fiscal year in review, Virginia State Bar (State Bar) did not protect their externally hosted sensitive data in accordance with the Commonwealth’s Hosted Environment Information Security Standard, SEC 525 (Security Standard). The State Bar stored and processed data that was sensitive in regards to confidentiality, integrity, and availability on both internal and externally hosted information technology (IT) systems. However, they did not follow required protocols to ensure the protection of externally hosted data.

Specifically, State Bar relied on three vendors, Virginia Interactive, Microsoft, and Barracuda, to host and process sensitive data. State Bar’s policies and processes to ensure data protection by these vendors did not include certain requirements from the Security Standard. Specifically, State Bar did not:

include IT systems and data hosted on their behalf by third-party vendors in the data sensitivity and classification listing (Security Standard, section 4);

document external IT systems (and other required details) with which data was shared (Security Standard, section CA-3-COV and sub-sections);

define and document agency and third-party roles and responsibilities in their contracts with vendors as required by internal policy (Security Standard, section SA-9 (b));

provide evidence of an enforceable agreement with one of their third-party vendors, Barracuda, requiring the third party to comply with the Commonwealth’s information security controls (Security Standard, section SA-9 (a)); and

document their annual reviews and determinations of possible compensating controls of deficiencies found in third parties’ independent audit reports (Security Standard, sections SA-8 and SA-9-COV-3 (1)).

The omission of these controls introduced several weaknesses into State Bar’s IT environment.

State Bar risked not applying appropriate controls to those systems and not gaining assurance over their third-party providers’ IT environments. In addition, they did not provide adequate oversight of the third-party providers; nor did they consistently validate that the providers had effective security controls to protect the State Bar’s sensitive data. Finally, by not documenting an annual review of independent audit assurance and implementing possible compensating controls for each third-party service provider, State Bar did not ensure an adequate level of security controls, thus putting its sensitive data at risk.


In the last two years, the State Bar experienced turnover of the Information Security Officer and the Director of IT positions. As a result, the agency did not implement internal policies and processes, which contributed to inadequate protection of data stored and processed by third-party vendors. State Bar has recently taken steps to improve its oversight of third-party service providers, including adding a policy requirement to document review of independent audit reports and consideration of possible compensating controls to offset any vendor deficiencies. They have also obtained the services of a cybersecurity planning firm to assist in the development of their information security program with the goal of achieving full compliance with the IT service provider control requirements.

State Bar should continue to take measures to ensure that third-party vendors adhere to the same security controls that govern their internal IT systems, maintaining continued oversight over third-party vendors to confirm overall compliance with the requirements outlined in the Security Standard. Finally, they should continue to improve their information security program.

Comply with Federal Regulations for Documentation of Employment Eligibility

Type: Internal Control and Compliance

Repeat: No

The State Bar did not properly complete Employment Eligibility Verification (I-9) forms for some new employees. For four of six employees (67%) tested, the preparer and/or translator certification on Form I-9 Section 1 was not completed. For two of six employees (33%), the employment start date on Form I-9 Section 2 did not agree to the start date indicated in agency records.

The Immigration Reform and Control Act of 1986 requires that all employers complete an I-9 Form to verify both identity and employment eligibility for all employees hired after November 6, 1986. Additionally, the U.S. Department of Homeland Security’s Guidance for Completing Form I-9 Handbook for Employers issued by the U.S. Citizenship and Immigration Services prescribes federal requirements for completing I-9 Forms. Not complying with federal requirements could result in civil and/or criminal penalties and debarment from government contracts.

Employees in the Human Resources (HR) department indicated they were unaware of the specific instructions for the completion of the Form I-9. HR personnel did not realize that the first day of employment on Form I-9 should agree to the date as stated on the employment offer letter and agency payroll records.

HR management should communicate I-9 requirements and provide adequate training and resources to HR personnel responsible for I-9 completion to reinforce the expectation of compliance with the applicable federal requirements. In addition, HR management should perform an adequate review of I-9 forms completed by personnel to ensure accurate completion and compliance with federal statutes and regulations.


AGENCY HIGHLIGHTS

The State Bar is an administrative agency of the Supreme Court of Virginia and is governed by an Executive Committee and 81-member Bar Council. The State Bar’s primary mission is the regulation, improvement, and education of members of the legal profession. All persons practicing law in Virginia must be members of the State Bar. In addition to other responsibilities, the State Bar initiates and prosecutes lawyer disciplinary actions.

The State Bar records most of its financial operating activities in the Commonwealth’s accounting and financial reporting system under the Regulation of Professions and Occupations program. They maintain separate detailed internal records for the Administration and Finance Fund and the Clients’ Protection Fund and report these in summary format. In addition to its financial operating activities, State Bar transfers funds to affiliated parties for legal defense.

Table 1 shows the State Bar’s sources of operating revenue for the dedicated special revenue fund.

Analysis of Actual Operating Revenues for the Year Ended June 30, 2018

Table 1

                                               Revenues      Percentage of Total Revenues
Membership dues                                $ 9,994,405    71%
Miscellaneous revenue                            2,539,780    18%
Clients’ Protection Fund collections               823,867     6%
Fines and costs                                    555,612     4%
Administration and Finance Fund collections        110,438     1%
Total operating revenues                       $14,024,102   100%

Source: Commonwealth accounting and financial reporting system

Membership dues provide the primary funding for operations. For fiscal year 2018, total operating revenues totaled approximately $14.0 million, a decrease of approximately $88,327 from prior year total operating revenues.

State Bar is the trustee for the Clients’ Protection Fund, a separate account that compensates clients for injuries or losses resulting from the dishonest conduct of a State Bar member. The Fund’s main sources of revenue include an annual mandatory assessment on all active Virginia State Bar members, interest on investments, and reimbursements from attorneys for client settlement payments. As of June 30, 2018, the Clients’ Protection Fund had a balance of $9,555,935.

State Bar records Administration and Finance Fund collections as revenues in the Commonwealth’s accounting and financial reporting system and then transfers the amounts collected to a separate account and records all activities related to the Fund in their internal accounting system. This fund accounts for meeting revenue and expenses related to the annual meeting and other official functions of the State Bar. State Bar’s annual meeting registration fees generate the Administration and Finance Fund’s revenue and pay for the meetings according to the rules of the Supreme Court. As of June 30, 2018, the Fund’s balance was $242,993.

Miscellaneous revenues consist primarily of mandatory continuing legal education fees, section dues, seminar registrations, mandatory professionalism course registrations, lawyer referral service revenue, and professional corporation registration.

Table 2 shows the State Bar’s original budget, final budget, and actual expenses.

Analysis of Budgeted and Actual Expenses for the Year Ended June 30, 2018

Table 2

                                           Original Budget   Final Budget   Actual Expenses
General fund                               $ 4,791,644       $ 4,791,489    $ 4,791,479
Legal aid services special revenue fund      7,350,000         7,350,000      6,405,653
Dedicated special revenue                   14,835,813        14,835,813     13,262,938
Total                                      $26,977,457       $26,977,302    $24,460,070

Source: Commonwealth’s accounting and financial reporting system

State Bar transferred $4.35 million in General funds to the Legal Services Corporation of Virginia (Corporation), as required by Chapter 836, 2017 Acts of Assembly. The Corporation provides civil legal services for needy Virginians. In addition, State Bar transferred the special revenue it received from circuit court civil filing fees, totaling approximately $6.4 million in fiscal year 2018, to the Corporation. They also transferred $352,500 in General funds to the Virginia Capital Representation Center (Center). The Center is a separate not-for-profit corporation with its own board, which offers assistance or consultation to death-sentenced inmates, and defendants charged with or convicted of a federal or state capital crime in Virginia. Additionally, State Bar transferred $75,000 in General funds to the Community Tax Law Project, as required by Chapter 836, 2017 Acts of Assembly. The Community Tax Law Project provides legal assistance to low-income taxpayers and to nonprofit start-up organizations whose mission is to assist low-income individuals.

State Bar accounts for operating expenses in the dedicated special revenue fund which totaled approximately $13.3 million in fiscal year 2018, $325,722 less than in fiscal year 2017. Chart 1 shows actual expenses for fiscal year 2018 broken down by type of expense.


Analysis of Actual Expenses for Fiscal Year 2018

Chart 1

[Pie chart. Legend, in order: Personal Services; Contractual Services; Other Expenses; Legal Services Corporation of Virginia; Transfer Payments. Segment labels, in order: $9,139,474 (37%); $2,125,940 (9%); $1,001,564 (4%); $10,755,653 (44%); $1,437,440 (6%).]

Source: Commonwealth’s accounting and financial reporting system

*Other Expenses include Supplies and Materials, Equipment, and Continuous Charges


July 18, 2019

The Honorable Ralph S. Northam
Governor of Virginia

The Honorable Thomas K. Norment, Jr.
Chairman, Joint Legislative Audit and Review Commission

We have audited the financial records and operations of the Virginia State Bar (State Bar) for the year ended June 30, 2018. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Audit Objectives

Our audit’s primary objectives were to evaluate the accuracy of recorded financial transactions in the Commonwealth’s accounting and financial reporting system and State Bar’s internal accounting system, review the adequacy of the State Bar’s internal controls, and test compliance with applicable laws, regulations, contracts, and grant agreements.

Audit Scope and Methodology

The State Bar’s management has responsibility for establishing and maintaining internal control and complying with applicable laws, regulations, contracts, and grant agreements. Internal control is a process designed to provide reasonable, but not absolute, assurance regarding the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws, regulations, contracts, and grant agreements.

We gained an understanding of the overall internal controls, both automated and manual, sufficient to plan the audit. We considered significance and risk in determining the nature and extent of our audit procedures. Our review encompassed controls over the following significant cycles, classes of transactions, and account balances.

Revenue

Expenses (including payroll)

Information system security

We performed audit tests to determine whether the State Bar’s controls were adequate, had been placed in operation, and were being followed. Our audit also included tests of compliance with provisions of applicable laws and regulations. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of the State Bar’s operations. We performed analytical procedures, including budgetary and trend analyses. We also tested details of transactions to achieve our objectives.

A nonstatistical sampling approach was used. Our samples were designed to support conclusions about our audit objectives. An appropriate sampling methodology was used to ensure the samples selected were representative of the population and provided sufficient, appropriate evidence. We identified specific attributes for testing each of the samples and when appropriate, we projected our results to the population.

Conclusions

We found that the State Bar properly stated, in all material respects, the amounts recorded and reported in the Commonwealth’s accounting and financial reporting system and State Bar’s internal accounting system. The financial information presented in this report came directly from the Commonwealth’s accounting and financial reporting system and State Bar’s internal accounting system.

We noted certain matters involving internal control and its operation and compliance with applicable laws, regulations, contracts, and grant agreements that require management’s attention and corrective action. These matters are described in the section entitled “Audit Findings and Recommendations.”

Exit Conference and Report Distribution

We discussed this report with management on August 27, 2019. Management’s response to the finding identified in our audit is included in the section titled “Agency Response.” We did not audit management’s response and, accordingly, we express no opinion on it.

This report is intended for the information and use of the Governor and General Assembly, management, and the citizens of the Commonwealth of Virginia and is a public record.

AUDITOR OF PUBLIC ACCOUNTS

DGS/vks


VIRGINIA STATE BAR

As of June 30, 2018

Doris E. H. Causey, President

Leonard C. Heath, Jr., President-elect

Michael W. Robinson, Immediate Past President

Karen A. Gould, Executive Director and Chief Operating Officer

EXECUTIVE COMMITTEE

Brian L. Buniva

Christopher R. Fortier, Ex-Officio

Marni E. Byrum

Robert E. Hawthorne, Ex-Officio

Carole H. Capsalis, Ex-Officio

Beverly P. Leatherbury

Nancy C. Dickenson

Bernard A. McGraw, Ex-Officio

Eugene M. Elliott, Jr.

Jay B. Myerson